berbew | 09548181dd5b04c472bfbc1f015ccd97e15ab428697c255552e0ab350ede71dd

Analysis

max time kernel
92s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09548181dd5b04c472bfbc1f015ccd97e15ab428697c255552e0ab350ede71dd.exe
Size

386KB
MD5

d4746e1a7609ed3d62b66e2cafad60ba
SHA1

c135c2549dd23ed602f53c00c7cc976e26f5b9ec
SHA256

09548181dd5b04c472bfbc1f015ccd97e15ab428697c255552e0ab350ede71dd
SHA512

a496c04aa9922ec33979dc846b7ead92587faf2aa318c4a9b511d7e4af55101533885671425e659221e40e01292de5168ac43b7b5ab80e540f9b3b3e7dad6e26
SSDEEP

12288:a/cy+NwQZ7287xmPFRkfJg9qwQZ7287xmP:U4ZZ/aFKm9qZZ/a

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	09548181dd5b04c472bfbc1f015ccd97e15ab428697c255552e0ab350ede71dd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdfjifjo.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4680	Ofnckp32.exe
4904	Oneklm32.exe
220	Opdghh32.exe
4828	Odocigqg.exe
3688	Ognpebpj.exe
4788	Ofqpqo32.exe
2088	Ojllan32.exe
1932	Olkhmi32.exe
3376	Oqfdnhfk.exe
1924	Odapnf32.exe
3392	Ogpmjb32.exe
1304	Ofcmfodb.exe
4660	Ojoign32.exe
3944	Onjegled.exe
4652	Oqhacgdh.exe
1052	Oddmdf32.exe
1220	Ocgmpccl.exe
1684	Ogbipa32.exe
1996	Ofeilobp.exe
448	Pnlaml32.exe
5004	Pqknig32.exe
3800	Pdfjifjo.exe
2508	Pcijeb32.exe
3136	Pfhfan32.exe
944	Pjcbbmif.exe
2036	Pmannhhj.exe
2160	Pqmjog32.exe
1456	Pclgkb32.exe
1412	Pggbkagp.exe
3104	Pfjcgn32.exe
2304	Pnakhkol.exe
2460	Pqpgdfnp.exe
3612	Pdkcde32.exe
640	Pgioqq32.exe
3412	Pjhlml32.exe
2044	Pncgmkmj.exe
1628	Pqbdjfln.exe
4972	Pcppfaka.exe
4420	Pfolbmje.exe
3652	Pjjhbl32.exe
232	Pmidog32.exe
3732	Pdpmpdbd.exe
1148	Pgnilpah.exe
468	Pfaigm32.exe
3008	Qnhahj32.exe
3576	Qqfmde32.exe
2092	Qceiaa32.exe
4916	Qfcfml32.exe
2964	Qjoankoi.exe
3480	Qmmnjfnl.exe
1752	Qddfkd32.exe
8	Qgcbgo32.exe
3528	Qffbbldm.exe
5048	Anmjcieo.exe
4500	Aqkgpedc.exe
4140	Acjclpcf.exe
1984	Afhohlbj.exe
2588	Ajckij32.exe
2360	Ambgef32.exe
776	Aeiofcji.exe
3904	Agglboim.exe
4012	Ajfhnjhq.exe
5148	Aqppkd32.exe
5188	Acnlgp32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Oqfdnhfk.exe	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Mmcdaagm.dll	Ogbipa32.exe
File opened for modification	C:\Windows\SysWOW64\Pggbkagp.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Gmdkpdef.dll	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Pjjhbl32.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Aqkgpedc.exe	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Olkhmi32.exe	Ojllan32.exe
File created	C:\Windows\SysWOW64\Pgnilpah.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Agglboim.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Oneklm32.exe	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Donfhp32.dll	Ognpebpj.exe
File opened for modification	C:\Windows\SysWOW64\Pcijeb32.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Qhbepcmd.dll	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Aqkgpedc.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bagflcje.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Ofnckp32.exe	09548181dd5b04c472bfbc1f015ccd97e15ab428697c255552e0ab350ede71dd.exe
File opened for modification	C:\Windows\SysWOW64\Opdghh32.exe	Oneklm32.exe
File opened for modification	C:\Windows\SysWOW64\Pnakhkol.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Lqnjfo32.dll	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Qfcfml32.exe	Qceiaa32.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Gcdmai32.dll	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Deeiam32.dll	Pjhlml32.exe
File opened for modification	C:\Windows\SysWOW64\Qfcfml32.exe	Qceiaa32.exe
File opened for modification	C:\Windows\SysWOW64\Aadifclh.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Ojoign32.exe	Ofcmfodb.exe
File opened for modification	C:\Windows\SysWOW64\Pnlaml32.exe	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Jpcmfk32.dll	Pmidog32.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Halpnqlq.dll	Pdfjifjo.exe
File opened for modification	C:\Windows\SysWOW64\Pfhfan32.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	Qjoankoi.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dfdjmlhn.dll	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Qnhahj32.exe	Pfaigm32.exe
File opened for modification	C:\Windows\SysWOW64\Ambgef32.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bmbplc32.exe

Program crash 1 IoCs

pid	pid_target	Process
1644	3016	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09548181dd5b04c472bfbc1f015ccd97e15ab428697c255552e0ab350ede71dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Agglboim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdmai32.dll"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiclgb32.dll"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Popodg32.dll"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	09548181dd5b04c472bfbc1f015ccd97e15ab428697c255552e0ab350ede71dd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naekcf32.dll"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfbgbeai.dll"	Odapnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oqhacgdh.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4300 wrote to memory of 4680	4300	09548181dd5b04c472bfbc1f015ccd97e15ab428697c255552e0ab350ede71dd.exe	82
PID 4300 wrote to memory of 4680	4300	09548181dd5b04c472bfbc1f015ccd97e15ab428697c255552e0ab350ede71dd.exe	82
PID 4300 wrote to memory of 4680	4300	09548181dd5b04c472bfbc1f015ccd97e15ab428697c255552e0ab350ede71dd.exe	82
PID 4680 wrote to memory of 4904	4680	Ofnckp32.exe	83
PID 4680 wrote to memory of 4904	4680	Ofnckp32.exe	83
PID 4680 wrote to memory of 4904	4680	Ofnckp32.exe	83
PID 4904 wrote to memory of 220	4904	Oneklm32.exe	84
PID 4904 wrote to memory of 220	4904	Oneklm32.exe	84
PID 4904 wrote to memory of 220	4904	Oneklm32.exe	84
PID 220 wrote to memory of 4828	220	Opdghh32.exe	85
PID 220 wrote to memory of 4828	220	Opdghh32.exe	85
PID 220 wrote to memory of 4828	220	Opdghh32.exe	85
PID 4828 wrote to memory of 3688	4828	Odocigqg.exe	86
PID 4828 wrote to memory of 3688	4828	Odocigqg.exe	86
PID 4828 wrote to memory of 3688	4828	Odocigqg.exe	86
PID 3688 wrote to memory of 4788	3688	Ognpebpj.exe	87
PID 3688 wrote to memory of 4788	3688	Ognpebpj.exe	87
PID 3688 wrote to memory of 4788	3688	Ognpebpj.exe	87
PID 4788 wrote to memory of 2088	4788	Ofqpqo32.exe	88
PID 4788 wrote to memory of 2088	4788	Ofqpqo32.exe	88
PID 4788 wrote to memory of 2088	4788	Ofqpqo32.exe	88
PID 2088 wrote to memory of 1932	2088	Ojllan32.exe	89
PID 2088 wrote to memory of 1932	2088	Ojllan32.exe	89
PID 2088 wrote to memory of 1932	2088	Ojllan32.exe	89
PID 1932 wrote to memory of 3376	1932	Olkhmi32.exe	90
PID 1932 wrote to memory of 3376	1932	Olkhmi32.exe	90
PID 1932 wrote to memory of 3376	1932	Olkhmi32.exe	90
PID 3376 wrote to memory of 1924	3376	Oqfdnhfk.exe	91
PID 3376 wrote to memory of 1924	3376	Oqfdnhfk.exe	91
PID 3376 wrote to memory of 1924	3376	Oqfdnhfk.exe	91
PID 1924 wrote to memory of 3392	1924	Odapnf32.exe	92
PID 1924 wrote to memory of 3392	1924	Odapnf32.exe	92
PID 1924 wrote to memory of 3392	1924	Odapnf32.exe	92
PID 3392 wrote to memory of 1304	3392	Ogpmjb32.exe	93
PID 3392 wrote to memory of 1304	3392	Ogpmjb32.exe	93
PID 3392 wrote to memory of 1304	3392	Ogpmjb32.exe	93
PID 1304 wrote to memory of 4660	1304	Ofcmfodb.exe	94
PID 1304 wrote to memory of 4660	1304	Ofcmfodb.exe	94
PID 1304 wrote to memory of 4660	1304	Ofcmfodb.exe	94
PID 4660 wrote to memory of 3944	4660	Ojoign32.exe	95
PID 4660 wrote to memory of 3944	4660	Ojoign32.exe	95
PID 4660 wrote to memory of 3944	4660	Ojoign32.exe	95
PID 3944 wrote to memory of 4652	3944	Onjegled.exe	96
PID 3944 wrote to memory of 4652	3944	Onjegled.exe	96
PID 3944 wrote to memory of 4652	3944	Onjegled.exe	96
PID 4652 wrote to memory of 1052	4652	Oqhacgdh.exe	97
PID 4652 wrote to memory of 1052	4652	Oqhacgdh.exe	97
PID 4652 wrote to memory of 1052	4652	Oqhacgdh.exe	97
PID 1052 wrote to memory of 1220	1052	Oddmdf32.exe	98
PID 1052 wrote to memory of 1220	1052	Oddmdf32.exe	98
PID 1052 wrote to memory of 1220	1052	Oddmdf32.exe	98
PID 1220 wrote to memory of 1684	1220	Ocgmpccl.exe	99
PID 1220 wrote to memory of 1684	1220	Ocgmpccl.exe	99
PID 1220 wrote to memory of 1684	1220	Ocgmpccl.exe	99
PID 1684 wrote to memory of 1996	1684	Ogbipa32.exe	100
PID 1684 wrote to memory of 1996	1684	Ogbipa32.exe	100
PID 1684 wrote to memory of 1996	1684	Ogbipa32.exe	100
PID 1996 wrote to memory of 448	1996	Ofeilobp.exe	101
PID 1996 wrote to memory of 448	1996	Ofeilobp.exe	101
PID 1996 wrote to memory of 448	1996	Ofeilobp.exe	101
PID 448 wrote to memory of 5004	448	Pnlaml32.exe	102
PID 448 wrote to memory of 5004	448	Pnlaml32.exe	102
PID 448 wrote to memory of 5004	448	Pnlaml32.exe	102
PID 5004 wrote to memory of 3800	5004	Pqknig32.exe	103

C:\Users\Admin\AppData\Local\Temp\09548181dd5b04c472bfbc1f015ccd97e15ab428697c255552e0ab350ede71dd.exe
"C:\Users\Admin\AppData\Local\Temp\09548181dd5b04c472bfbc1f015ccd97e15ab428697c255552e0ab350ede71dd.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4300
- C:\Windows\SysWOW64\Ofnckp32.exe
  C:\Windows\system32\Ofnckp32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\Windows\SysWOW64\Oneklm32.exe
    C:\Windows\system32\Oneklm32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4904
  - - C:\Windows\SysWOW64\Opdghh32.exe
      C:\Windows\system32\Opdghh32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:220
    - - C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4828
      - C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3376
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3392
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3800
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3136
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:944
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1456
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1412
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        34⤵
        Executes dropped EXE
        
        PID:3612
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3412
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4972
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3652
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:232
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3732
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        44⤵
        Executes dropped EXE
        
        PID:1148
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:468
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3576
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        51⤵
        Executes dropped EXE
        
        PID:3480
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1752
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        54⤵
        Executes dropped EXE
        
        PID:3528
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4500
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4140
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        58⤵
        Executes dropped EXE
        
        PID:1984
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2588
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:776
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3904
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5148
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5188
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5228
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5308
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5348
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        71⤵
        Drops file in System32 directory
        
        PID:5428
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        72⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5508
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5548
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        75⤵
        Drops file in System32 directory
        
        PID:5584
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        78⤵
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5740
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5780
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5860
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        84⤵
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5980
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6028
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6064
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6108
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3888
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:4108
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5092
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:1360
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2252
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:3676
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4648
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        99⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        100⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5376
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5456
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        103⤵
        Modifies registry class
        
        PID:4116
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1088
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        105⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        107⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        108⤵
        Drops file in System32 directory
        
        PID:5812
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5932
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:6088
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        113⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        114⤵
        Drops file in System32 directory
        
        PID:3616
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        115⤵
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        117⤵
        Drops file in System32 directory
        
        PID:2544
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        118⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        119⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        120⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:796
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5344
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5104
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        123⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5616
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        125⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        126⤵
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        127⤵
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        128⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        130⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 408
        131⤵
        Program crash
        
        PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3016 -ip 3016
1⤵
PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Beapme32.dll

Filesize
7KB

MD5
3969393c15e16030c66fd6cadb34f436

SHA1
3e0579555374fd5eeb253abb06951744181abcee

SHA256
03f54b88bab04318b504bc2190ddf3dcc63208a0b15f48047a33cda3ef7daf21

SHA512
33717b4da1e055c852b5a54f13f98955f24f83985c3a5d1620aae3b30b183208ad0b07fbf344fe87c6cbef64daf793a4c4b920ff560fae07a611f7453e923405

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
386KB

MD5
b41263955bc7cd2bbeb66fdec6872113

SHA1
3d1204b6c3b01275568a0f58f7ee38a66a28ccb1

SHA256
61b581f79c67fb69f7090fe1ad03990b924f2b68a31c3e145e2d66f8ce7f6fb0

SHA512
8be6f378db8eaaf381f9ec4050b505a01ecad83a07186e16cdf9298a89f99f8c8d13eed6caed78dcffae010375e1bae3fdc0952b9e518a36c2f1a5fcf40dd130

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
386KB

MD5
32f5ee69187327b5cf5f804dd45aa729

SHA1
862d6328c44a23c920b037228a31ad0167a659da

SHA256
e3b26132e2daa74fff00829c2c48ab7395fbaa5834bdf802a882dfcaaadac7b7

SHA512
9bbca292acbac767d400e4fda8fb8e56c2ef42d874dae03e234a3257198887c8a71800a1d265726df1a1b02d58a58df1a2dc7b3db7001c0e673b6b1b1616e8d4

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
386KB

MD5
af0233c89fa77122dc41cc4127ca6862

SHA1
5d890b7e4b002efe97ba15aa4187eb8def9c980b

SHA256
f1e53e36faede6c523921fbbcd4cfb786a3e381a020dfe60889cabaa5d18d638

SHA512
47473e06746f165e6e69793b52f41b015e8f0b3d9862692ee4089fa5f4e40509f48175ae5f918cb52c36a6f2f4df0e218374c70219ec44143e37464407b76ff3

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
386KB

MD5
2ad81d98eb2c9044f007995b0bd82c02

SHA1
c863fc52af6729914d5b22e84bba0da99ccc8abb

SHA256
22d0ae409f04df5df07c13e29b601795aa1af5ee3b92c978aae67b5fae30b286

SHA512
395897b9ba008053d2c203bb37c1b6efdab52887028020050b71fc2f3012b8d2112f71a9dd289eff7114b916c1302f89cd37777d88f4098328baad41c94370c6

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
386KB

MD5
013d5774390eb0e26b6d0c42743fc9ea

SHA1
8a68df0926de72530d68a951e53fbe2cec4fb0ec

SHA256
6ccedb3f77d2c4002cd1e41491b9fa1f025cea5ca695a588359e2e26dda82fa1

SHA512
61f4f5ad0906137bcc526d35d4d3116ded75e33a71d64dd89126faf202b888f32df712f5f6c3bd468b4e4fe097051b93fc68daf728aa92cba11b5c26a50e182d

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
386KB

MD5
37a8e958f0b289ddb09e829d4b2378f9

SHA1
443555a746067e50035d278403383bea6aed5a77

SHA256
92bd4cc8b9db5efa8d89d18f5a1597e4a6ebbfac80be0b3faa6b141afbd625b2

SHA512
cf3192bb6ba6d68981c9dd0009c00b1fc83856bb103ffabcab7710730ef788188d67b81b3a9d0e9fde89ece682797cb0ea73fe3ee4c11ad5aaab8235fecdfe19

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
386KB

MD5
4cc858264ae3a8378991213130e69434

SHA1
a91b5c5436c4389f8e840ed75bbf52955d7c7b2c

SHA256
1a331d0f34478366f818f153cfe6e80daff2290cd7f381e0c70df3a64d94e0ca

SHA512
916e43001a22d5292f42a1b7a683b31f5578729979036b8e88511fe59d44bf643704afae104bd8a078acd4153ef6a3f62d7ef2e431fad9965d7665003ebde073

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
386KB

MD5
407608c3bef19e59fa62327a4f4d3774

SHA1
57397784dcef8c98a8825483eec8bec01aa01392

SHA256
c4618c6451d1a93c986ef5e14c1457e1d10002fbf10797ed250e691f072cf313

SHA512
d8dd96c46cb294e271bf382b01cef3291525356a5f0a1f06e5a5255e3f17a06cec0bcf95aae6e14db70ee17a91f63bb67fdd9d338ce3df0934bc18a057e92cd4

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
386KB

MD5
90db38bb51ef24028a1e67bd67c46e92

SHA1
d5b2a82e3ffa91922e56e0315d737dc07676e431

SHA256
401674ef565908cb1413f73e349d0e991d71a67f7320cb72ac33e6c35a176730

SHA512
9444a259bccc7ca6a4da8f6fe3b6b355e38b0ab89c1a115fb6a01b04ef6859b474ccf1bd37e9e11ab82111380098820524c3cfd0e50e0bc9dacb85b78026b60e

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
386KB

MD5
054875f780af228e1164746bd5d5efc1

SHA1
5e91760fcd9281047e0f9420d5375eadd4c55be0

SHA256
b2f38d1deb78206bf96c5df3db4191d32467255f8b9d59ce8a59aa1ef24d25d7

SHA512
1c2401be8e1e92201648ae653bad6d0e94385544904ba19c2a2acfc2e17262297f32aea5c0c83eb534e4b2c77250cf63302d5bbeff96bd34f0c6dd44f016d4a2

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
386KB

MD5
799ee7ffc3670d7f4e30a00950e3a6f0

SHA1
c39f60779f2715a8fdd45d459a07117148c64638

SHA256
d2552cf73c7226382200ef3ae8894fb703c2d8c6b8e536a24ccde88dc3a8a796

SHA512
172cf9cf3df9c5f6b8d053a2dd47ddbf522722a76801ebd10013cfaa0a7b921867463b6a56c05bfc9ac74055ef115bf1f70ec11924b119c51bd1a9832bdfc33c

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
386KB

MD5
afa8c4c0990d765e461b13f2bab5cf81

SHA1
98558b09930269ff85cc21ca3b9a0f9b8999f5ad

SHA256
618a98bf2cabd8ce8f52355085c2cea7b7b7cf52bfaf830b393abb0e45f48cb4

SHA512
fe5e3125ddf64fa65ea6761836cf0f788b82fd65858fbd96d415ed4b6b9989e7ee5ed21b4385114a905978c39e76b10eaf1f417791d738978d41fa2da431c236

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
386KB

MD5
82e4749b1a72e8e60adcb17a00f0f47c

SHA1
6da3a76fb985239dbcb21554255e2c11745227e2

SHA256
6577e13eb00940918371d7859a6f6fbc8a12cbd2321f708c36341c06b8cd320f

SHA512
0bab8993a1c47b4e00d95209a9fd748db0243e47e1e1769a5dc6dcc10076e93f64fae3a29b7fc76b502d9ad1fcb5a813acd944777a03312f76a8ea7abc62598b

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
386KB

MD5
4817b7a705aaf6e97a0b187da5638e74

SHA1
19e2ca9795c8920e7b15163b047f3011300f4bf2

SHA256
cc1cb4186c90070e531d60a2c1f73e5c44efeb55369e1ccff3419bf0d67c0ef7

SHA512
d78543ad4bb2aac0fc79aef4c5584b87fbb5aef7c31d76ff4b0da17fdbda20adf75ee83d24e1db2b0383f4267e78d8a470a124fb3a4798ef98ea55be12d19555

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
386KB

MD5
4a433049de6a5b0649b62d9f980e1e51

SHA1
3fef7fdb82be2eac8e04425dcb3b2ca7265d5f50

SHA256
3b0986f7f8f43512b463a8fd02d0abc1e5b4e0e7f5e5752e879a17fdc9b4c5c3

SHA512
000f0fc84b33a330af1ff25b701831d151c1db9a57c29925c00c9eb8475ad9d21adc1835a5ddaaa163d67c4f58ea9f8ac563947ca1914db38b4807425a17cd66

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
386KB

MD5
9106fcc9d8654ba50b667ee455faff86

SHA1
62cbad8e2809aa6e04fe2ce45ce6af82a147161b

SHA256
e2c951bc516be56f2805c56462853c9bc50d07c40188d368c50303e3b2966c77

SHA512
d7c37dbbc55ca2127e40fc08e56320e8c5bb2480aba659697718214039d2caec6b613a25ef4cf6e7a120cd456f6d4f99cc79c26fd0c49e1075c9fa6928fb3da9

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
386KB

MD5
f28fe9fef3ef988aa83578192e6da352

SHA1
91f53ea75c8a57a0c6e5e10d421357fd0fbc8dc4

SHA256
a8b0e5ac525ef635809307ec39ac50db388790014a3af5ddd754fef66be67870

SHA512
8d715e1c7987d8c463b01b87ef2704286dd6d793b88f40012328bcabbf1c81bdf29d760a54d7c68ae13a2f15a0bfe327d545d648617b522500d273863cc1f866

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
386KB

MD5
6d7598d07b2f910a6c8b121eb56e6d53

SHA1
4e848f2f6dd638ac1d9cc3cef186a9a83e2ac460

SHA256
0d28745f55ef7233a4efdd0d3c7ef6205a455a1c4a5307e66e79e6c5c5749934

SHA512
bb56f9a5e49bca2afe3a2e3d88020dfcff073c3ad8ba4ab41a2e107bca20dbe2cc8fccd10e50d3aa0610be4581d69f12e438d72f4b94037a6f6885efa876dcef

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
386KB

MD5
594dae92079242813870cdfa49720660

SHA1
f56526633bfbdf343481bf03f0cc37f018ebf124

SHA256
f2ea3227b5154890aeed8469dec9c7747fdd2231b18e9d3cb526ed4600d81eb9

SHA512
2f730b273bd45957d25bc2d04ddc2230aeb5f523137eee1bbf41a79dc1a4e4d5ccbcf68f623ce81b25c2da65cab19cfdc5df4c61d34fd074c7af772a500c9fb4

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
386KB

MD5
70111c3ea1f7dfbcb205e067c4b4ac8b

SHA1
830b7f01c7317193449a09d191512be70d812b78

SHA256
7e0131ed649d39bcd85e8068398bc1f90be8106e41dc807d79e95e8d02ed9edc

SHA512
7bb5e059ed4a76ef59cfeea8958e2ea37290ecf315d578f2b4c809a65fd62a3d513ecb11db5d195df69f5de1709dd5d40290d76eaf7f6c33158831332ebde621

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
386KB

MD5
78ef01091ba6404439edd55fb303852f

SHA1
4ecef7c691e5e6b78916c0a951d79878c893e4b7

SHA256
91b0a50567fd83e45ec88f5aba31a40e0c267116e0158decf7ec97e661405797

SHA512
accaa76f9cc789762ee140df76ae1ca8e8a7bd253350b201b29071812b9fa4e7bb404b4937b15437fd2684ed1f64836a31daa7dab96d06e0a71903443331b159

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
386KB

MD5
86b14ca5ee8752a664dafb0d9ae2c032

SHA1
06944223f0d2268c3bedb20df00806819c47ff59

SHA256
6be34267b070e1b47c51ad127c526b7133e76a677a89efaadaf4e30fa92d76ca

SHA512
fba2418d72796bb87d50b7d653f1d65f54c1f01126ec547c0a216cbc0bc147fd1daa0ae2df3a75cfea06aaf522c9b4296bb1377d4a92d1745c8feb6d59e7887b

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
386KB

MD5
deb3ad27bff58862f44fbaedc3609688

SHA1
c01a734416f098270a121d835eb8fe8b628f658d

SHA256
f52494f5bd301043ea05b0e0d6b04230d35127c4bb56023fd959c63e02874b40

SHA512
e0d0610e08b7428dcc719e025aa365051837c978f30edfcaf989fa4f60106d5ea551b4ebf1edbec091fc0761bf629b6050f14f76ff6d508a8e01cd825d1d6e48

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
386KB

MD5
96ec7c78a19bef6102ee28897af34b46

SHA1
0f4a3f980b83f80e11dcd67334cce08328253257

SHA256
0e6b4c6f0713438332465bace776daf66649a3b14eb623a2f1bc92f0a4f58ff5

SHA512
dddbfd823ed1b24fe2e3b68d51429271a630acc02b4ee0553765c6f5dfce46c016bd073b55f37cf99d6b9082ed8c401362b81467e6e21a62a760cd2dec1428ea

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
386KB

MD5
ec711498b5afe0abcbb987c19295b61e

SHA1
ce64d4d4b8b2af7607997b05bd9f11cc18ef7790

SHA256
aa315469e4f120cf37a8646994db20bd702808d92029dc753a8c6da5c3166342

SHA512
89f5544fd9f299072dd3c68816319d56b8c2b84af0ea8d9aad8ee21305bfbec17f37415c0764feec5ebf691607c99f75185c41ffa95d3a6870211c1d5764f554

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
386KB

MD5
85e3178baed3481137428346288f8638

SHA1
9693976093f9f249f492da6bd7db2964c3fda07f

SHA256
c89bd3b608b12a39b2683cfeb78359446f382939c351a2d494de475b4ab2e666

SHA512
12aa3a6f7520c4f2c70d924d1e991e3da77803297ca7f25bb4256eaa2a2ba21642a55dc7184b08598845cd8784bf7e4662c3461e06be1de5f6f036b28da52ebe

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
386KB

MD5
62d5c253a05a7f0e0f30f362bee209ab

SHA1
61fd8c98d38a320efde2e2bfe3c6716a63cd4ab1

SHA256
cbb981e4ae2dd3600d264fc38fdbd0d81324c75bf32ad7693671bef2c0b2f2be

SHA512
f0e8826682da35e7e73bd0f4acbd9c796259aaec87c83a954c822e7d564da731001e6f342bdbef98751b446e645234072b74ee337ce8cdb04cf5439281095d80

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
386KB

MD5
4bc899126bd14dd39fe6d9dc1c75eb9a

SHA1
6c0e5d59d7fc6e13df31097702897761438e0503

SHA256
8a18bf20494c962d00955a84fb1521cfcf622d259af5e503d42fcd654e6a6829

SHA512
034c7f22daa7408daad29c192099bd68d8e6be059d304273b8d7a24613f6e5c9c36a7400be91fb59efb6207713a1f51d85e84568971ecfedd8611757d41d3893

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
386KB

MD5
045c0f51c8de436af07d48131fd5a219

SHA1
3e76b83c45251bee1e82f045b56e809147857fc7

SHA256
bd64df637845f5b12390fa6f51db1dc4972a1d659fb2accb85b60c1f0f5cd37b

SHA512
16ef2b0f4227ff085dff1118e19c53658b4a1a604fc3eb870d9a41d331927c9a1344f34d795ec5706307a98ad9cef7f6817f13662aa91e416c85cb8f15fe6829

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
386KB

MD5
53702bd6939176e233c4dc70ddaacd59

SHA1
91ff7ed05035c5d2f9d6c690d83b586c8c2f0b45

SHA256
38ebcbbd1d79d2fb1d1083aa21179775be0965d6e338f96c62afa0886c0d6145

SHA512
96ed2eb2d1a259e0d9b073707f91c815a4cd9e9014ecacec006294370a1b195f029aa98cf81354d0d49372ebaea8e71cb9a4e50d4f8c2e5d05b24841dab93d34

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
386KB

MD5
89ad08cf0d795f0827cd90c7b2b0a7fc

SHA1
77185d81bac80ce159ebfe2ee3ded456af790772

SHA256
0b87ffcc965e53a742c1d75e48fbd6804497bdac0012a773b588554fc1260d9e

SHA512
ac3273c73fc55509b9e5bee4e3ebd8a125811c4aa67471d886e7e095de963a4e9964f23ea3ce25c229426a0890a12bac4b8680bdb2804585709dd20c6876df49

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
386KB

MD5
6b9d76b48dc1bbdacdad38d3441c3db7

SHA1
86fcfbdfd0ddab7c890dcda84d222f3ae0efb0c0

SHA256
a209c4df1c0147e1579dd6be33080705d001f36ae21fc38cbb084444a4cda4c6

SHA512
958a12e79d6e438db48ba60551cae79d21dca4358753868ed19707f4ce2d723466f32a4f4caa4d25b8d345bac9ccddd090a9663d2f52d76251324dd108a6ffea

Download Submit
memory/8-378-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/220-35-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/220-561-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/232-313-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/448-163-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/448-662-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/468-331-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/628-838-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/640-271-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/776-424-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1052-132-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1052-638-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1148-325-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1220-645-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1220-140-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1304-615-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1304-100-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1412-234-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1456-227-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1628-288-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1628-1018-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1684-148-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1684-650-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1752-372-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1924-84-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1924-603-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1932-68-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1932-591-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1996-657-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2036-211-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2044-283-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2088-584-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2088-60-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2092-349-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2092-998-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2160-219-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2304-250-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2360-418-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2460-258-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2508-187-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2588-412-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2964-360-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3008-337-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3008-1002-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3104-243-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3136-195-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3376-596-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3376-77-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3392-92-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3392-608-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3412-277-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3480-366-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3528-384-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3576-343-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3612-264-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3652-307-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3688-566-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3688-43-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3688-1082-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3732-319-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3800-179-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3904-430-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3944-116-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3944-627-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4012-436-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4300-547-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4300-0-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4420-301-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4500-395-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4652-124-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4652-632-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4660-108-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4660-621-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4680-12-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4680-554-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4788-52-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4788-578-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4828-573-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4828-44-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4904-560-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4904-20-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4972-295-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5004-669-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5004-171-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5048-390-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5148-966-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5148-442-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5188-448-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5228-454-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5268-460-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5308-466-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5348-472-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5388-478-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5428-484-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5468-490-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5508-948-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5548-501-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5624-512-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5660-518-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5700-524-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5740-530-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5780-536-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/5820-542-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads